
unknown security threats? Is there a use case for them in the enterprise?

The problem enterprises have -- along with everyone else who is online -- is ensuring antimalware defenses are able to spot and mitigate the latest attacks. Zero-day exploits are the most challenging threats for any class of security technology to detect: there is no signature for them, and because no patch exists yet, even fully updated networks and devices remain exposed. One of the methods antimalware vendors use to combat zero-day exploits is sandboxing.

Sandbox technology provides a tightly controlled set of resources -- such as limited access to memory, system files and settings -- in which potentially malicious code can be executed and its actions observed without jeopardizing the host device. This on-the-fly behavioral analysis of code entering an organization's network means that even attacks using zero-day exploits can be detected: the sandbox does not need to recognize the code, because what the code does (dropping files, changing settings, reaching out to remote servers) gives its intentions away.

Malware writers are aware of this technique of analyzing their code before it has a chance to compromise a system, so many now add advanced obfuscation and evasion techniques to avoid being identified by regular sandboxes. One such method is for the code to act benignly if it detects it is being executed in a sandbox environment; typical tells are virtualization artifacts, a freshly booted system with no user history, and the absence of mouse or keyboard activity. Another is to keep the exploit code encrypted and only decrypt and run it in the expected context, so a sample that is opened directly, or on a machine that does not belong to the intended target, reveals nothing. These evasion techniques mean the challenge now is for sandboxes to reflect a user's environment as accurately as possible and induce an attacker's code to reveal or execute its malicious payload.

One such sandbox is part of Trend Micro Inc.'s Deep Discovery solution. Like most traditional sandbox technology, it's capable of analyzing the behavior of the various components of a threat: its scripts, its shellcode and its payload. However, this "smart" sandbox can be configured by administrators to match their own system configurations, so there is a better chance of seeing how custom malware specifically targeting the organization would behave. That lets administrators better assess its scope and potential impact on their systems: the registry changes it makes, the files it drops and the command-and-control servers it connects to.
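To make the two evasion techniques above, and the reason a sandbox tuned to the organization defeats them, concrete, here is an added example. It is not code from the article, from Trend Micro or from any real malware. Everything in it is constructed: the environment profiles, the heuristic thresholds, the fictional target domain corp.example and the harmless marker string that stands in for a payload. The sample "acts benignly" if any sandbox heuristic fires, and it keys decryption of its payload to the host's domain name, so only a machine (or a sandbox) that looks like the intended victim ever shows the malicious behavior.

```python
"""
Added example (not the article's or Trend Micro's code): a toy model of
sandbox evasion and of a "smart" sandbox configured to defeat it.
All profiles, thresholds and the marker "payload" are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Environment:
    """Constructed snapshot of facts a sample can cheaply observe at runtime."""
    domain: str              # directory domain the host is joined to ("" if none)
    cpu_count: int
    ram_gb: int
    uptime_minutes: int
    recent_documents: int    # entries in the user's recent-files list
    mouse_moved: bool        # did the pointer move during a short wait?
    vm_vendor_strings: bool  # hypervisor names visible in BIOS/driver tables


# --- attacker side: the checks that make a sample "act benignly" in a sandbox ---

def sandbox_indicators(env: Environment) -> list[str]:
    """Return the heuristics that fire; an empty list means 'looks like a real user'."""
    hits = []
    if env.vm_vendor_strings:
        hits.append("virtualization vendor strings present")
    if env.cpu_count < 2 or env.ram_gb < 4:
        hits.append("too few resources for a workstation")
    if env.uptime_minutes < 10:
        hits.append("machine booted moments ago")
    if env.recent_documents == 0:
        hits.append("no user activity history")
    if not env.mouse_moved:
        hits.append("no user interaction")
    return hits


def key_for_domain(domain: str) -> bytes:
    """Environmental keying: the decryption key is derived from the target's
    domain name, so the payload only decrypts on the intended victim's hosts."""
    return hashlib.sha256(domain.lower().encode()).digest()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed, harmless stand-in for a real payload, encrypted at "build time"
# for the fictional target domain corp.example.
TARGET_DOMAIN = "corp.example"
MARKER = b"BEHAVIOR: drop file, set Run key, connect to c2.example.invalid"
ENCRYPTED_MARKER = xor_bytes(MARKER, key_for_domain(TARGET_DOMAIN))


def run_sample(env: Environment) -> str:
    """What the sample does when detonated in a given environment."""
    if sandbox_indicators(env):
        return "benign"            # evasion: sandbox suspected, do nothing
    plaintext = xor_bytes(ENCRYPTED_MARKER, key_for_domain(env.domain))
    if not plaintext.startswith(b"BEHAVIOR:"):
        return "benign"            # wrong context: key mismatch, payload stays opaque
    return plaintext.decode()      # malicious behavior becomes observable


# --- defender side: an out-of-the-box sandbox vs. one tuned to the organization ---

GENERIC_SANDBOX = Environment(domain="", cpu_count=1, ram_gb=2, uptime_minutes=1,
                              recent_documents=0, mouse_moved=False,
                              vm_vendor_strings=True)
TUNED_SANDBOX = Environment(domain="corp.example", cpu_count=4, ram_gb=16,
                            uptime_minutes=1440, recent_documents=37,
                            mouse_moved=True, vm_vendor_strings=False)


def analyze(env: Environment) -> dict:
    """The verdict a sandbox reaches after detonating the sample in `env`."""
    observed = run_sample(env)
    return {"observed": observed, "malicious": observed != "benign"}


if __name__ == "__main__":
    for name, env in [("generic sandbox", GENERIC_SANDBOX), ("tuned sandbox", TUNED_SANDBOX)]:
        print(f"{name}: {analyze(env)}")
```

The generic sandbox trips every heuristic and, having no domain, could not decrypt the payload even if it did not. The tuned profile matches the workstation the attacker expected, so the sample decrypts and its behavior is recorded. Note the third case the model also covers: a sandbox that looks like a real user but is joined to the wrong domain still sees nothing, which is why matching the actual organization's configuration, not merely "a realistic desktop," matters.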

On-the-fly behavioral analysis of malware is an essential tool in the battle against advanced threats; smart sandboxes that can outsmart malware designed to avoid sandbox analysis are the latest advance in the ongoing arms race between malware writers and those trying to thwart their attacks. Expect to see other antimalware vendors introducing new or similar techniques for trapping malware in a smart sandbox environment for analysis, identification and mitigation. This approach provides more up-to-date protection against zero-day attacks than signature-based checks alone. It is not a complete answer: a sample that simply waits longer than the analysis window, or that only fires on an action the sandbox never performs, can still slip through, so sandboxing should sit alongside, not replace, endpoint and network monitoring. Even so, it will hopefully put enterprise defenses ahead of attackers -- at least for the time being.
